> Hi Amos,
>
> Thanks very very much for your help. I'm not really trying to authenticate
> to an external web site, only Squid is involved.
>
> What I'm trying to do is:
>
> 1 http_access allow all
> # redirector program
> 2 http_access2 allow freesites
> 3 http_access2 allow AuthUsers
> 4 http_access2 deny all
>
> - User opens browser. (no auth yet)
> - Homepage tries to load, redirector sees no username => redirect to welcome
>   page (+ link to google), allowed by acl 2
> - User clicks on the external link => not in acl 2, but allowed by acl 3 =>
>   Squid asks for auth
> - User enters user+pass in browser (proxy-auth), validated by Squid. Squid
>   has now a valid username and password.
>
> So far, so good. This all works fine.
> - now every next page should pass the redirector as this
>
> Problem:
> Due to acl 1, Squid doesn't pass a username to the rewriter program and even
> after a successful auth, the redirector keeps redirecting to the welcome
> page due to the missing username.
> If I put acl 3 before the redirector, Squid nicely sends the username with
> the requested url.
>
>
> Can this be resolved?

Yes. By using the right settings in the right way.

* Url-rewriter only needs URL. So that is all squid guarantees it.
* Other details may or may not exist based on whether squid has any reason
  to require their use beforehand.
* http_access2 _after_ the re-writer is the first place squid needs the
  login details. They are fetched at that point.

Drop the redirector and http_access2 entirely and use this:

acl noAuth src all
acl AuthUsers proxy_auth REQUIRED

http_access allow freesites
http_access allow AuthUsers
deny_info http://login.mydomain.local/?referer=%s noAuth
http_access deny !AuthUsers noAuth
http_access deny all

What that does, is allow freesites and authenticated users through
immediately.
For non-authenticated users it redirects them to the login page at
http://login.mydomain.local/ with a query parameter 'referer' containing the
original URL requested.

Amos

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Monday, April 27, 2009 02:58
> To: Philippe Boeij
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: redirecting unauthenticated users
>
>>
>> Hi,
>>
>> I have a question. I'd like to have squid configured for the following:
>>
>> - User opens browser (with squid proxy configured) and gets redirected
>>   to a login page
>> - The browser prompts for a proxy username/password.
>> - if the user provided a good username/password, he/she can click on
>>   an icon to get redirected to the original requested page.
>>
>> squid.conf (using version 2.7stable5) part:
>>
>> acl all src all
>> acl freesites dstdomain login.mydomain.local
>> acl AuthUsers proxy_auth REQUIRED
>>
>> http_access allow all
>> # process redirector program between http_access and http_access2,
>> # result depends on the fact if a username exists.
>> http_access2 allow freesites
>> http_access2 allow AuthUsers
>> http_access2 deny all
>>
>> Problem is that this way the redirector program never gets any
>> username passed although the user is asked for a user/pass.
>>
>> This works partially (username gets passed):
>>
>> http_access allow AuthUsers
>> # -> process redirector program between http_access and http_access2
>> http_access2 allow all
>>
>> But now I can't redirect to a nice welcome page before the
>> username/password prompt...
>>
>>
>> Please someone help.
>>
>> Many thanks.
>>
>> Philippe
>>
>
> You have a conceptual problem here.
>
> What you are attempting to do is get the browser to authenticate against
> the proxy by sending authentication details to a web server somewhere else.
>
> What you need instead is one of two captive portal solutions:
>
> 1) authenticate against the proxy directly, no fuss.
>
> http_access allow freesites
> http_access deny !AuthUsers
> http_access deny all
>
>
> 2) use an external_acl_type helper to perform side-band authentication
> based on IP using details gathered from the website login.
>
> external_acl_type foo ...
> acl AuthUsers external foo
>
> http_access allow freesites
> http_access allow AuthUsers
> deny_info http://login.mydomain.local all
> http_access deny all
>
>
> (2) has cons in that it assumes you are able to create a working auth
> scheme where experts often fail. Also that every visitor has a unique
> IP/headers (no sharing, no NAT) and forgery is ignored.
>
> Amos
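The ordering argument in this thread (first matching http_access line decides; the last ACL named on a matching deny line selects the deny_info target; an ACL that is never consulted gives Squid no reason to fetch login details) is modelled below in Python. This is an added example, not code from the thread, from Philippe or from the Squid project, and it is a deliberate simplification: the 407 challenge behaviour of proxy_auth and all asynchronous lookups are left out, dstdomain is matched as an exact host, and percent-encoding the URL substituted for %s is this example's own choice. The ACL table, request dictionaries and the two rule sets are constructed from the configurations quoted above.

```python
"""Toy model of Squid http_access evaluation (example code, not Squid's).

Modelled rules only:
  * http_access lines are walked in order; the first line whose ACL terms
    all match decides.
  * a term '!name' is satisfied when the ACL does NOT match.
  * on a matching deny line, the last ACL named selects the deny_info URL.
  * if no line matches, the default is the opposite of the last line.
Left out on purpose: the proxy_auth 407 challenge and async lookups.
"""
from urllib.parse import quote, urlsplit

# Constructed ACL table in the shape of the thread's squid.conf lines.
ACLS = {
    "all":       ("src", None),                          # acl all src all
    "noAuth":    ("src", None),                          # acl noAuth src all
    "freesites": ("dstdomain", "login.mydomain.local"),  # acl freesites dstdomain ...
    "AuthUsers": ("proxy_auth", "REQUIRED"),             # acl AuthUsers proxy_auth REQUIRED
}


def acl_matches(name, request):
    """Does ACL `name` match this request?  request = {'url': str, 'user': str|None}."""
    kind, arg = ACLS[name]
    if kind == "src":
        return True                       # 'src all' matches every client
    if kind == "dstdomain":
        # Exact host match only (real Squid also matches subdomains for '.domain').
        return (urlsplit(request["url"]).hostname or "").lower() == arg
    if kind == "proxy_auth":
        # REQUIRED: any authenticated user matches; no credentials => no match.
        return request.get("user") is not None
    raise ValueError("unsupported acl type: " + kind)


def evaluate(http_access, deny_info, request):
    """Walk the http_access lines and return a decision dictionary.

    {'action': 'allow'|'deny', 'redirect': url|None, 'checked': [acl names]}
    'checked' records every ACL that was consulted: an ACL that never appears
    here is one Squid had no reason to evaluate (so no username is fetched).
    """
    checked = []
    for action, terms in http_access:
        last_acl = None
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            last_acl = term[1:] if negated else term
            checked.append(last_acl)
            # A plain term fails when the ACL does not match; a negated one fails when it does.
            if acl_matches(last_acl, request) == negated:
                line_matches = False
                break
        if not line_matches:
            continue
        if action == "allow":
            return {"action": "allow", "redirect": None, "checked": checked}
        redirect = None
        template = deny_info.get(last_acl)      # deny_info keyed on the last ACL of the line
        if template is not None:
            # %s carries the requested URL; percent-encoding it is this example's choice.
            redirect = template.replace("%s", quote(request["url"], safe=""))
        return {"action": "deny", "redirect": redirect, "checked": checked}
    # Nothing matched: the default is the opposite of the last line.
    default = "deny" if http_access[-1][0] == "allow" else "allow"
    return {"action": default, "redirect": None, "checked": checked}


# Amos' suggested configuration, transcribed from the reply above.
AMOS_HTTP_ACCESS = [
    ("allow", ["freesites"]),
    ("allow", ["AuthUsers"]),
    ("deny",  ["!AuthUsers", "noAuth"]),
    ("deny",  ["all"]),
]
AMOS_DENY_INFO = {"noAuth": "http://login.mydomain.local/?referer=%s"}

# Philippe's first line: 'http_access allow all' decides every request before
# any proxy_auth ACL is consulted, so no username ever exists for the redirector.
ORIGINAL_HTTP_ACCESS = [("allow", ["all"])]


if __name__ == "__main__":
    anon = {"url": "http://www.google.com/", "user": None}
    print(evaluate(AMOS_HTTP_ACCESS, AMOS_DENY_INFO, anon))
    print(evaluate(AMOS_HTTP_ACCESS, AMOS_DENY_INFO,
                   {"url": "http://login.mydomain.local/", "user": None}))
    print(evaluate(AMOS_HTTP_ACCESS, AMOS_DENY_INFO,
                   {"url": "http://www.google.com/", "user": "philippe"}))
    print(evaluate(ORIGINAL_HTTP_ACCESS, {}, anon))
```

Running it shows the three outcomes Amos describes: an anonymous request for an outside site ends on the `deny !AuthUsers noAuth` line, whose last ACL is noAuth, so the deny_info redirect to the login page is returned with the original URL in `referer`; the login site and authenticated users are allowed on the first two lines; and with `http_access allow all` first, the AuthUsers ACL is never consulted at all, which is exactly why the rewriter received no username.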